DNSTOP – Stay on top of your DNS Traffic

Sponsored Link
dnstop is a libpcap application (ala tcpdump) that displays various tables of DNS traffic on your network. Currently dnstop displays tables of:

Source IP addresses
Destination IP addresses
Query types
Response codes
Top level domains
Second level domains
Third level domains

dnstop supports both IPv4 and IPv6 addresses.

To help find especially undesirable DNS queries, dnstop provides a number of filters. The filters tell dnstop to display only the following types of queries:

For unknown/invalid TLDs
A queries where the query name is already an IP address
PTR queries for RFC1918 address space
Responses with code REFUSED

dnstop can either read packets from the live capture device, or from a tcpdump savefile.

Install DNSTOP on ubuntu

Open the terminal and run the following comamnd

sudo apt-get install dnstop


dnstop [-46apsQR] [-b expression] [-i address] [-f filter] [-r interval] [device] [savefile]

Command line Options

The options are as follows:

-4 -- count only messages with IPv4 addresses
-6 -- count only messages with IPv6 addresses
-Q -- count only DNS query messages
-R -- count only DNS reply messages
-a -- anonymize addresses
-b expression -- BPF filter expression default: udp port 53)
-i address -- ignore select addresses
-p -- Do not put the interface into promiscuous mode.
-r -- Redraw interval (seconds).
-l level -- keep counts on names up to level domain name levels.

For example, with -l 2 (the default), dnstop will keep two tables: one with top-level domain names, and another with second-level domain names. Increasing the level provides more details,but also requires more memory and CPU.

-f -- input filter name

The "unknown-tlds" filter includes only queries for TLDs that are bogus.Useful for identifying hosts/servers that leak queries for things like "localhost" or "workgroup."

The "A-for-A" filter includes only A queries for names that are already IP addresses. Certain Microsoft Windows DNS servers have a known bug that forward these queries.

The "rfc1918-ptr" filter includes only PTR queries for addresses in RFC1918 space. These should never leak from inside an organi-zation.

The "refused" filter, when used with the -R option, tells dnstop to count only replies with rcode REFUSED.

The "qtype-any" filter tells dnstop to count only message of type ANY.

-n name -- Only count messages within the domain name

-P -- Print "progress" messages on stderr when in non-interactive mode.

-B buckets -- Use buckets hash table buckets.

-X -- Do not tabulate the sources + query name counters. This can significantly reduce memory usage on busy servers and large save files.

savefile -- a captured network trace in pcap format

device -- ethernet device (ie fxp0)


dnstop eth0

sample output


Sponsored Link

You may also like...

Leave a Reply

Your email address will not be published.